If you use this, I would be very pleased if you can click the Thank You button at the bottom right of this post.

Thank You.

PappaJohn

12-06-2009, 12:14 AM

So, any miscreant who happens by can mischievously reset the admin's password ... and this deserves 'thanks'?

And, you really shouldn't be coding forms that rely on JavaScript - not everybody browses with JavaScript enabled.

bucket

12-06-2009, 12:34 AM

The password would be reset and sent to the administrator's email.

So other people will not be able to get it.

There is no JavaScript there; it's something simple and not major.

PappaJohn

12-06-2009, 12:56 AM

I didn't say the prankster would be able to get it, but nonetheless the admin's password has been reset. He won't be able to gain access until he reads his mail, and even then, he has to go in and reset his password even though he didn't request the change - causing him wasted, unnecessary effort.

Okay, also he doesn't have to reset his password since it was already reset; all he needs to do is check his email for his new password.

Also, what should I add to make it prankster proof?
Should I add a Username textbox?

PappaJohn

12-06-2009, 01:03 AM

Okay, also he doesn't have to reset his password since it was already reset
Correct - to a password not of his choosing.

bucket

12-06-2009, 01:12 AM

Okay,
Also, what should I add to make it prankster proof?
Should I add a Username textbox?

PappaJohn

12-06-2009, 03:48 AM

Requiring a username would add little to no security.

One common method is to record the request, together with a secure, random token. You send an email that contains a link which includes the token. When the user clicks the link, you verify the token, generate the random password and email it to the user. As added security, you can require the user to change the generated password on their first visit.

There are quite a few tutorials on the subject.
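The flow described in the post above (record the request with a random token, mail a link, only change the password once the link is confirmed, then force a change on first login), written out as an added example. This is not bucket's form code or anything from the thread; it uses an in-memory dictionary as a stand-in for the database, a list as a stand-in for the mail server, a placeholder reset URL, and a plain SHA-256 for the demo password hash (a real site would use bcrypt or argon2). The 30-minute token lifetime is an assumption.

```python
import hashlib
import hmac
import secrets
import string
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumed lifetime of a reset link: 30 minutes

# Constructed in-memory stand-ins: one account, a table of pending resets,
# and an "outbox" that collects the messages a mail server would send.
users = {
    "admin": {"email": "admin@example.invalid", "password_hash": None, "must_change": False},
}
pending_resets = {}  # token_hash -> {"username": ..., "expires": ...}
outbox = []


def _hash_token(token):
    # Only a hash of the token is stored, so a leaked table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username, now=None):
    """Step 1: record the request with a secure random token and mail a link.
    The password is NOT changed here, so a stranger submitting the form
    cannot lock the real user out of the account."""
    now = time.time() if now is None else now
    user = users.get(username)
    if user is None:
        return None  # the UI should answer identically whether or not the user exists
    token = secrets.token_urlsafe(32)
    pending_resets[_hash_token(token)] = {"username": username, "expires": now + TOKEN_TTL_SECONDS}
    link = "https://example.invalid/reset?token=" + token  # placeholder URL
    outbox.append({"to": user["email"], "body": "To reset your password, visit: " + link})
    return token  # returned only so the example can be exercised; a real app would not


def confirm_reset(token, now=None):
    """Step 2: the link is clicked. Verify the token (single use, not expired),
    then generate a random password, store its hash, mail it, and flag the
    account so the user must choose their own password on first login.
    Returns the generated password, or None if the token is bad or expired."""
    now = time.time() if now is None else now
    key = _hash_token(token)
    record = pending_resets.pop(key, None)  # pop: a token can only be used once
    if record is None or now > record["expires"]:
        return None
    alphabet = string.ascii_letters + string.digits
    new_password = "".join(secrets.choice(alphabet) for _ in range(16))
    user = users[record["username"]]
    user["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()  # demo hash only
    user["must_change"] = True
    outbox.append({"to": user["email"], "body": "Your new temporary password is: " + new_password})
    return new_password


def login(username, password):
    """Returns 'ok', 'must_change_password' or 'denied'."""
    user = users.get(username)
    if user is None or user["password_hash"] is None:
        return "denied"
    candidate = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(user["password_hash"], candidate):
        return "denied"
    return "must_change_password" if user["must_change"] else "ok"
```

The point the example makes concrete: a stray submission of the form only produces an email to the account owner, who can ignore it; nothing about the account changes until someone holding that mailbox clicks the link, and the generated password is single-use because `must_change` forces a new one at the next login.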

seco

12-06-2009, 05:33 AM

I didn't say the prankster would be able to get it, but nonetheless the admin's password has been reset. He won't be able to gain access until he reads his mail, and even then, he has to go in and reset his password even though he didn't request the change - causing him wasted, unnecessary effort.